This is not a question about being able to disable SELinux on the fly - I see most resources on the web say it's not possible to move from SELinux enabled to disabled: you can go from targeted to permissive and that's that. Well, I'm seeing a change on-the-fly from permissive SELinux to disabled.
We build an OS image using atomic host based on CentOS 7.8; we have a custom kernel configuration and a small kernel patch applied (kernel 3.10.0-1127.13.1), plus some out-of-tree drivers for some of the hardware we use. We're running on dedicated x86-64 hardware, so to speak. On the board running CentOS we are deploying some containers, and at some point one of those was refusing to run. Its log was saying this:
[root@localhost ~]# docker logs 7fd34ee21120 2>&1
selinux label is specified in config, but selinux is disabled or not supported
[root@localhost ~]# sestatus
SELinux status: disabled
The box is not in this state anymore, but I have the journal saved from the box. I'm checking the last log with 'journalctl -D <dir> -b' and I see this on boot:
Jul 31 13:39:32 localhost kernel: SELinux: Initializing.
Jul 31 13:39:32 localhost kernel: SELinux: Starting in permissive mode
[...]
Jul 31 13:39:35 localhost.localdomain kernel: SELinux: Completing initialization.
Jul 31 13:39:35 localhost.localdomain kernel: SELinux: Setting up existing superblocks.
Jul 31 13:39:35 localhost.localdomain kernel: type=1403 audit(1596191975.070:2): policy loaded auid=4294967295
Jul 31 13:39:35 localhost.localdomain systemd[1]: Successfully loaded SELinux policy in 120.027ms.
Aug 02 07:49:05 localhost.localdomain dockerd-current[2122]: time="2020-08-02T00:49:05.626485735-04:00" level=error msg="containerd: start container" error="oci runtime error: selinux label is specified in config, but selinux is disabled or not supported\n" id=d6e993aaf3e5ce661147a57ce134c37a6ad9b8d767e88749fc75792c6d25c679
Has anybody seen this kind of behavior before?
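An added check script, not from the original post, that makes the drift described above visible: it parses the kernel's boot-time SELinux message out of journal text, compares it with what the running kernel reports via selinuxfs, and counts the dockerd "selinux is disabled or not supported" failures. The sample journal text is constructed from the quoted lines; the selinuxfs path argument is only there so the check can be run against a test directory.

```shell
#!/bin/sh
# Added example, not code from the original post: compare the SELinux mode the
# kernel announced at boot (from journalctl output) with the mode the running
# kernel reports now, and count dockerd failures caused by SELinux being off.
# Constructed sample journal text, modelled on the lines quoted in the post.
SAMPLE_JOURNAL='Jul 31 13:39:32 localhost kernel: SELinux: Initializing.
Jul 31 13:39:32 localhost kernel: SELinux: Starting in permissive mode
Jul 31 13:39:35 localhost.localdomain systemd[1]: Successfully loaded SELinux policy in 120.027ms.
Aug 02 07:49:05 localhost.localdomain dockerd-current[2122]: level=error error="oci runtime error: selinux label is specified in config, but selinux is disabled or not supported\n"'

# Mode announced by the kernel at boot: "SELinux: Starting in <mode> mode",
# or "disabled" when the kernel logged "SELinux:  Disabled at boot."
boot_selinux_mode() {
    printf '%s\n' "$1" | awk '
        /kernel: SELinux: +Disabled at boot/ { mode = "disabled" }
        /kernel: SELinux: Starting in [a-z]+ mode/ {
            for (i = 1; i <= NF; i++) if ($i == "in") mode = $(i + 1)
        }
        END { print (mode == "" ? "unknown" : mode) }'
}

# Mode the running kernel reports. A missing selinuxfs means SELinux is disabled.
# $1 is the selinuxfs mount point (normally /sys/fs/selinux; overridable for tests).
current_selinux_mode() {
    fs=${1:-/sys/fs/selinux}
    if [ ! -r "$fs/enforce" ]; then echo disabled
    elif [ "$(cat "$fs/enforce")" = 1 ]; then echo enforcing
    else echo permissive
    fi
}

# Count runc/dockerd errors that appear only when a container carries an SELinux
# label while the host's SELinux is disabled.
docker_selinux_errors() {
    printf '%s\n' "$1" | grep -c 'selinux is disabled or not supported' || true
}

# Exit 0 if the state is consistent, 1 when SELinux was active at boot but is
# disabled now (the drift described in the post). $2 as for current_selinux_mode.
check_selinux_drift() {
    boot=$(boot_selinux_mode "$1")
    now=$(current_selinux_mode "$2")
    if [ "$boot" != disabled ] && [ "$now" = disabled ]; then
        echo "DRIFT: SELinux was $boot at boot but is disabled now" \
             "($(docker_selinux_errors "$1") container start failures logged)"
        return 1
    fi
    echo "OK: boot=$boot now=$now"
}
```

On a live box, run it as `check_selinux_drift "$(journalctl -b -k -o short)"` with the second argument omitted so the real /sys/fs/selinux is consulted.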